<p>Authorizations granted or not to users to access resources of an application should be based on strong decisions. For instance, checking whether
the user is authenticated or not, has the right roles/privileges. It may also depend on the user’s location, or the date, time when the user requests
access.</p>
<h2>Noncompliant Code Example</h2>
<p>In a Spring-security web application:</p>
<ul>
  <li> the <code>vote</code> method of an <a
  href="https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html">AccessDecisionVoter</a> type is not compliant when it returns only an affirmative decision (<code>ACCESS_GRANTED</code>) or abstains to make a decision (<code>ACCESS_ABSTAIN</code>): </li>
</ul>
<pre>
public class WeakNightVoter implements AccessDecisionVoter {
    @Override
    public int vote(Authentication authentication, Object object, Collection collection) {  // Noncompliant

      Calendar calendar = Calendar.getInstance();

      int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

      if(currentHour &gt;= 8 &amp;&amp; currentHour &lt;= 19) {
        return ACCESS_GRANTED; // Noncompliant
      }

      // when users connect during the night, do not make decision
      return ACCESS_ABSTAIN; // Noncompliant
    }
}
</pre>
<ul>
  <li> the <code>hasPermission</code> method of a <a
  href="https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html">PermissionEvaluator</a> type is not compliant when it doesn’t return <code>false</code>: </li>
</ul>
<pre>
public class MyPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        //Getting subject
        Object user = authentication.getPrincipal();

        if(user.getRole().equals(permission)) {
              return true; // Noncompliant
        }

        return true;  // Noncompliant
    }
}
</pre>
<h2>Compliant Solution</h2>
<p>In a Spring-security web application:</p>
<ul>
  <li> the <code>vote</code> method of an <a
  href="https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/access/AccessDecisionVoter.html">AccessDecisionVoter</a> type should return a negative decision (<code>ACCESS_DENIED</code>): </li>
</ul>
<pre>
public class StrongNightVoter implements AccessDecisionVoter {
    @Override
    public int vote(Authentication authentication, Object object, Collection collection) {

      Calendar calendar = Calendar.getInstance();

      int currentHour = calendar.get(Calendar.HOUR_OF_DAY);

      if(currentHour &gt;= 8 &amp;&amp; currentHour &lt;= 19) {
        return ACCESS_GRANTED;
      }

      // users are not allowed to connect during the night
      return ACCESS_DENIED; // Compliant
    }
}
</pre>
<ul>
  <li> the <code>hasPermission</code> method of a <a
  href="https://docs.spring.io/spring-security/site/docs/4.2.13.RELEASE/apidocs/org/springframework/security/access/PermissionEvaluator.html">PermissionEvaluator</a> type should return <code>false</code>: </li>
</ul>
<pre>
public class MyPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        //Getting subject
        Object user = authentication.getPrincipal();

        if(user.getRole().equals(permission)) {
              return true;
        }

        return false; // Compliant
    }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 2021 Category A1</a> - Broken Access Control </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control">OWASP Top 10 2017 Category A5</a> - Boken Access Control </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/285.html">MITRE, CWE-285</a> - Improper Authorization </li>
</ul>

